Attack Vectors That Leave Your 802.1X Network Vulnerable

Key Points
  • 802.1X is vulnerable to attacks if specific security measures are not implemented properly. The main attack vectors are MITM attacks, vulnerable IoT devices, and PEAP-MSCHAPv2 vulnerabilities.
  • PEAP-MSCHAPv2 supports only passwords, credentials that can be stolen over the air through MITM attacks. Unsecured IoT devices cannot be accounted for or monitored, making them a huge security risk on an 802.1X network.
  • Using our managed APIs, provision users, devices, and IoT devices with digital certificates and segregate them into VLANs for superior network security for MDM and BYOD.

When used correctly, 802.1X authentication is the gold standard for network security. However, even seasoned IT professionals fail to recognize some key points of attack. If they are left unchecked, they can lead to an 802.1X network vulnerability.

With 95% of cybersecurity breaches being caused by human error, it’s important to account for any possible security lapse. SecureW2’s turnkey Cloud PKI and RADIUS services provide everything you need to move from PSK to 802.1X. Read about how easy it was for one of our customers to configure SecureW2 PKI.

In this article, we’ll take a look at these weak points and find the best ways of preventing hackers from exploiting them.

Attacking Devices Without EAP-TLS

Your users have strong, unique passwords, your networks are protected with WPA2-Enterprise encryption, and you use 802.1X for authentication. Your network should be safe and secure, right? Unfortunately not.

Through a man-in-the-middle (MITM) attack, an attacker can set up a rogue network and mimic the network SSID to steal personally identifiable information such as passwords. No matter how strong the password, credentials are always going to be vulnerable to this kind of attack.

The typical MITM attack is designed to trick a user into sending their credentials to an attacker rather than the authorized server. This can be prevented through the use of server certificate validation. Not only does it stop credentials from being sent over-the-air where they can be easily stolen, but it forces users to go through an enrollment process that further ensures their devices are configured correctly.

If security is paramount to your organization, then the risks associated with password-based authentication must be eliminated. There is no better way to do that than by replacing passwords with certificates.

Attacking Vulnerable IoT Devices

IoT (Internet of Things) is a burgeoning device type that can bring a whole new element of sophistication to a business; however, as a result of their relatively recent integration, many organizations have difficulty tracking this type of device. A Ponemon Institute study found 56% of risk professionals did not keep an inventory of IoT devices. Organizations that fail to recognize the threat that comes with unsecured IoT devices can leave hundreds of potential access points open for attacks.

IoT devices can be attacked with malware that breaches security and infects the entire network. An outside attacker can potentially control a vulnerable IoT device and conscript it into a botnet. Threat actors use these massive botnets to launch DDoS attacks and deny all use of the device. Worse, they can cause significant slowdowns for your network or steal valuable information.

It’s important to be aware of all devices on your network. The fact is if any device on your network is unsecured, it can be accessed or fall victim to an over-the-air attack. Uploading digital certificates to IoT devices is the best solution available because it is a lightweight solution that can be outfitted without compromising efficiency. An IoT device equipped with a certificate can be outfitted with attributes that make it easily accessible for identification management.

As the uses for IoT devices continue to grow every year, the glaring issue of weak security will become more prevalent and pose a greater risk. Equipping these devices with certificates is the best way to ensure none of your valuable assets are compromised.

PEAP-MSCHAPv2 Vulnerability

The 802.1X authentication protocol known as PEAP-MSCHAPv2 can be exploited to gain user login information from devices that are not properly configured to connect only to trusted RADIUS servers.

A MITM attack is still possible with MSCHAPv2 by simply using a fake SSID to get an authenticated user to auto-authenticate with the attacker’s spoofed network. A well-documented weakness in PEAP-MSCHAPv2’s encryption method allows the attacker to easily decrypt packets sent over the air, thereby allowing the attacker to acquire the user’s login credentials.

Using the EAP-TLS authentication protocol will get rid of the risk of over-the-air credential theft because no credentials are sent over-the-air. Credentials are used for one-time certificate enrollment, and the certificate is sent to the RADIUS server for authentication. It’s the most efficient protocol and provides a far better user experience because password-related issues are completely eliminated.
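A defensive check for the two misconfigurations discussed above (missing server certificate validation and password-based PEAP-MSCHAPv2), added here as an example and not SecureW2's code. It assumes Linux clients configured through wpa_supplicant; the sample profiles, SSIDs, paths and hostnames are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf: a weak PEAP profile and an EAP-TLS one.
SAMPLE_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="example-password"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-TLS"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/ssl/certs/example-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/wifi/device.pem"
    private_key="/etc/wifi/device.key"
}
'''
NAME_KEYS = ("domain_suffix_match", "domain_match", "altsubject_match", "subject_match")

def parse_networks(text):
    """Return one dict of key -> value per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def audit(net):
    """Findings for one profile; an empty list means nothing was flagged."""
    if "WPA-EAP" not in net.get("key_mgmt", ""):
        return []  # not an 802.1X profile
    findings = []
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated")
    if not any(k in net for k in NAME_KEYS):
        findings.append("no server name constraint on the RADIUS certificate")
    if "MSCHAPV2" in net.get("phase2", "").upper() or "password" in net:
        findings.append("password-based inner authentication in use")
    return findings

def audit_config(text):
    return {n.get("ssid", "?"): audit(n) for n in parse_networks(text)}

if __name__ == "__main__":
    print(audit_config(SAMPLE_CONF))
```

A profile that pins the CA but sets no name constraint is still flagged, because the client would then accept any server holding a certificate from that CA.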

Certificate Solutions With SecureW2

Configuring users for certificates is the only reliable way to prevent MITM attacks. Many companies are wary of adopting certificates because of anticipated difficulties with configuration, but SecureW2 can make things easy.

SecureW2’s JoinNow Solution software can simplify device onboarding for both BYODs and managed devices. For MDMs, we use SCEP Gateways to push a profile configuration to managed devices that enables them to request a certificate with no user interaction. BYOD users simply need to follow a few steps and are enrolled just as easily. With SecureW2, you can even generate custom client certificates and install them on your IoT devices, ensuring there are no attack vectors for malicious hackers.

Credentials simply have no place in a modern security-focused environment. We provide cost-effective solutions for any organization that wants to make security a priority. Check out our certificate solution page for more information.


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.
